Unprepared for a Cyberattack? The DOJ Wants to Change That
New U.S. Department of Justice cybersecurity guidelines stress preparedness amid reports that many organizations have failed to plan for a breach.
October 16, 2018 at 03:12 PM
Data protection tips are virtually everywhere these days. From emails and news feeds to blog posts and reports, the world is awash in cybersecurity advice. So it's hardly surprising that the U.S. Department of Justice has released new guidelines on that very topic. The U.K.'s National Cyber Security Centre is poised to follow suit.
But despite all the free and readily available advice that's floating around out there, studies keep popping up that say people aren't paying enough attention or have adopted a laissez-faire approach to cybersecurity.
Celebrity case in point: Kanye West, who already has been on the wrong end of several data breaches, accidentally showed the world his iPhone password during a live broadcast of his meeting with President Donald Trump.
And Kanye's not alone. A report released today from Oregon-based ethics and compliance software and services company NAVEX Global showed that businesses also aren't doing enough to guard their valuable data.
More than 30 percent of the organizations that responded to the survey said they used “basic or reactive” programs to manage risks posed by contractors, consultants, data vendors, marketers and a host of other third parties that could gain access to a company's data.
The study, which involved 1,200 respondents who “influence or manage their organization's ethics and compliance programs,” also found that more than a third of the participants relied on paper records or “disparate software,” such as word processing and spreadsheets, to carry out third-party risk assessment and management programs.
The DOJ would not be impressed, but it also probably wouldn't be shocked.
The agency noted in its revised cybersecurity guidelines released last month that yet another study published earlier this year—this one surveyed nearly 3,000 IT professionals—revealed that a whopping 77 percent of the respondents didn't have a formal cybersecurity incident response plan.
In the revised guidelines, the DOJ stressed, for the first time, the importance of keeping senior management in the cybersecurity loop.
“This is a serious enough issue that it cannot be left to the working level for the planning to be done. And management shouldn't just get involved in the initial stage, they should be involved throughout as the plan is adopted and set into motion,” said Ronald Cheng, a partner at O'Melveny & Myers in Hong Kong and Los Angeles. He focuses on data security and privacy.
The DOJ recommended that companies spend more time planning for cybersecurity attacks, which means being more proactive about finding and patching security vulnerabilities. Using server logs and monitoring network traffic can help identify which computer systems are affected and where the intrusion originated.
“You can sum up the main difference [between the original and revised DOJ guidelines] in one word: Preparedness. This updated version has a far greater focus on what organizations should do before you experience an incident,” said counsel Samuel Cullari, a data security expert at Reed Smith in Philadelphia.
More companies are turning to incident response firms in the wake of cybersecurity incidents, according to the DOJ, which advised that businesses do their due diligence to ensure that the firms they hire are “well acquainted with forensically sound methods of evidence collection that do not taint or destroy evidence.” That's because the firms often show up before federal investigators are contacted, according to the DOJ.
Another addition to the guidelines concerns cloud storage, which the DOJ said was convenient and relatively secure though still not immune from cyber threats. It's important to ensure that a company's cloud storage is adequately guarded.
It's also smart to have an agreement with a cloud service provider that not only allows law enforcement and incident response firms to access a company's data in the event of a breach but also requires that the provider assist in the investigation.
Here are a few other takeaways:
- Have a plan in place that includes key notification contacts inside and outside the company in order to react quickly and effectively to an incident.
- At least one of those contacts should be law enforcement, so it's a good idea to get to know a local federal agent before there's a data breach.
- Keep a written record of the company's response to the incident, which will be helpful if the investigation leads to a criminal or civil case.